Sunday, October 28, 2007

Authoritarianism is rampant in our society. Just last week I ran into at least 3 petty dictators. This can be anything from the local "Officer Friendly" telling you to "Move along", to bureaucratic government office secretaries guarding their tin-pot dictatorships with utter contempt for outsiders.

Hierarchy is everything to these petty people. Big Fish, Small Pond. But you must deal with them and it can be exasperating. Think DMV writ large.

I'll be discussing how to subvert the Panopticon society for our ends. Points to ponder in a future post are:
1) The universal surveillance is ineffective for The Man, as no one is watching, and it acts to protect the system.
2a) We value government transparency and personal privacy. The government values government privacy and personal transparency.
2b) We want to keep our secrets, while the government wants to see them, and vice versa.
3) They can monitor the public spaces, even take your data, but we cannot effectively do this to them.

Dictators small and large hate spotlights. Atrocities are carried out in the dark, people are "disappeared." The way to combat petty abuses of petty power is the same as the way to combat great abuses of great power.

You will never win by complaining. You are doomed to pointlessness. There is nothing you can do to make the departmental secretary care. She was there before you and she'll be there after you and she'll do nothing to help you. If you annoy her, she will make your life miserable.

Here is how you fight back. Cops will lie and threaten. Flight attendants will make up rules and lie to you. "Because I said so" works for mom, but not for these little nuts. What you need is to spy on yourself. Record everything. Then you have a backup. Cops hate photographers; unfortunately for them, photographers have rights (carry this on your person).

There are lots of reasons to record everything in your life, besides just happening to have some crucial evidence to redeem yourself if you are threatened. In years to come, you may wish to recall conversations you had with others; perhaps after a death your records would console loved ones. Perhaps someone you associate with will become famous. Perhaps you yourself will want to hear what you sounded like as a young man or lady in 30 years' time. Think of recordings of your mother and how precious they are to you.

Setting this up to be painless is easier than you might think. I'll have a simple post soon detailing equipment.

Tuesday, October 23, 2007

Leopard is coming out this week and has all kinds of great cryptic features that are security related. But when you want to find a good place to eat, find a fat person and follow him. In that spirit, I give you the Encyclopedia Dramatica's take on security.

"Security is a broad generalization; a meme of sorts used by the government, which means absolutely nothing. Security is often found at nightclubs, government establishments, and Jesus factories, but is never found on the internet."

Moar soon!

"They is perhaps the smartest person ever, and the perfect person to cite in an argument." omg pwniez

Bruce Schneier and other security gurus have written extensively about the false security of companies and organizations that fail to notify their customers, and the Consumerist.com regularly exposes companies trying to hide their ineptitude. The only solution to data theft is the same as the solution to the Tylenol product tampering case: massive, overwhelming, immediate disclosure and response. Johnson & Johnson, to their credit, did not try to PR their way out of that mess. They knew there was only one way to save the company after millions of customers now feared their products: overwhelming action. Millions were spent to recall and destroy existing stocks of Tylenol, and the company, this is key, *wanted you to know*.

LOFSA could have bought credibility by immediate disclosure and reassurance that they were doing everything to protect us, but they decided to try to hide. The TSA keeps losing laptops and reacts rather than proactively protects.

What does this have to do with you? Encrypt YOUR laptop, YOUR data. If it's bad enough for thieves to get your name and identity, imagine how bad it would be if they got your whole laptop. Encrypt today!

Tuesday, October 16, 2007

Remember that time that Mrs. Grumbly caught you putting crayons up your nose and threatened to put it in your permanent file... OOOOOOOOHHH NOOOO! Where did you think she was sending it? That's right. The FBI, NSA, CIA, DHL, DDF, NAACP, and NAFTA. They *all* have a dossier on you, citizen. A few weeks ago I sent in my request for my DHS Travel Dossier (you didn't think it was really a "dossier" did you? eh? EH?! you betcha... good german.) Recently I've traveled quite a bit and according to my passport's electronic codes, I'm 129 years old, and no one noticed this, through like 7 countries and numerous airports. But I *did* remove my shoes, and liquids. I'm dying to know what they actually bothered to track about me, since my age was of no importance. Also, requesting your documents is basically free and takes about 10 minutes, no notary. UnsecureFlight.com hosts the "ATS Privacy Act Records Request" and the accompanying release form.

Now BoingBoing has a post on getting your FBI file, neat! I can't wait to see what's in mine, and also to waste some bureaucrat's time. It's called getmyfbifile.com, here's what BoingBoing says, "This site helps you automatically generate the letters you need to send in to get your own FBI file ... and while you're at it, you can also get your NSA, CIA, DIA, DSS, Secret Service, etc. files too, just by checking a few boxes." I'm so excited, I want to cross-dress just so I get data-mined with J. Edgar Hoover. I'll update the blog with my results when they arrive.

Anecdote: I heard a story about a girl who applied to be a White House intern and was questioned about having joined the "Objectivist club," which meant she had filled out a card in the back of an Ayn Rand novel and that somehow put her on a list! Imagine what kind of lists YOU'RE on! (This is another reason I've legally changed my name to "Void", just to screw up check cashing).

Sunday, October 14, 2007

You've secured your laptop now, according to best practices. You have turned on FileVault disk encryption, turned off unnecessary services, disabled automatic login, etc. Now the bastards have to come after you the old-fashioned way: they have to penetrate your code walls and steal your internets.

"But how can the dastardly FBI, NSA, DHL, Section 8 bastards break my code walls?" you ask. Easily. You are running multiple programs which phone home all the time and connect to other computers through sometimes lousy protocols or implementations. That Weatherbug may be more of a bug than you realize. The first step is to run Little Snitch, which will tell you when applications connect to the net and give you the opportunity to deny them temporarily or permanently. Next, run nmap on yourself to make sure you only have approved ports open. Now you've done your due diligence, but The Man won't give up!

You need a HIDS, a Host-based Intrusion Detection System. This kind of program will scan your machine and make sure that you haven't been pwned: running rootkits, badware, keyloggers or other garbage that the G-men (or Romanian script-kiddies) would use to monitor you. Think it can't happen? There was a recent case where a mafioso was busted even though he used all kinds of crazy encryption on his machine. They used a sneak-and-peek warrant to sneak into his house and install some nosey-ware on his machine and then watched him for *months*!!! He'd have been better off if he had been checking for file modifications. Don't think your mighty encryption will stop them. This ties into the above best practices by disallowing automatic login, etc. But remember, if they have physical access to your machine, life gets much more difficult.

We'll cover how to defeat more advanced monitoring techniques in future posts. Remember, if they cannot just boot your machine and read it, they'll have no choice but to resort to more expensive/difficult and less effective techniques. Our goal is to get them to the point of using Van Eck Phreaking and having goatse as your screensaver. Heh.
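The file-modification check the post recommends, written out as an added example that is not part of the original blog and uses only the Python standard library: snapshot the SHA-256 digest and permission bits of every regular file under a directory, then diff a later snapshot against the saved baseline to surface added, removed and altered files (the footprint a planted monitoring tool leaves). The tree built in demo() and its file names are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (posix relative path) to digest and mode bits."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links so a planted symlink can't redirect the hasher
            result[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": p.stat().st_mode & 0o7777,  # catches chmod, e.g. a new setuid bit
            }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths (content or permission changes)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample: baseline a small tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc.conf").write_text("allow_remote=no\n")
        baseline = snapshot(root)
        (root / "bin" / "login").write_bytes(b"trojaned login binary")  # modified
        (root / "etc.conf").unlink()                                     # removed
        (root / "keylog.so").write_bytes(b"\x7fELF")                     # added
        return compare(baseline, snapshot(root))
```

The baseline has to live where someone with the same privileges as you cannot rewrite it (read-only media, another machine), otherwise a compromise simply re-baselines itself.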

Friday, October 12, 2007

My next project is in the style of Telstar Logistics, i.e. Urban Camouflage, or social engineering. "One day, I had an epiphany -- if I disguised the van to look like a work vehicle, I'd be able to park in yellow-curb zones without getting parking tickets."

People love signs, especially low-wage, rules-oriented mindless zombies. These people can be found everywhere such as DMVs, utility companies, airports, and especially universities. You can tell you're dealing with someone who values rules over reason if the conversation goes something like this:

"Hi, I'd like to do X"
"I'm sorry, sir, you can't do X"
"Why not?"
"It's policy"
"Who has the authorization to override this?"
"It's policy"

... as though that is the final answer.

Anyhow, let's mess with these people. Around LSU you will often see little yellow laminated signs stapled to sticks in front of random parking spots that say "Reserved for ####, good for TOWING ENFORCED". No one ever parks in front of them.

The other day I went to school and saw a plastic sign in front of some spots that simply said "No Parking", and sure enough, no one parked there. I knew there was no event or anything, and the parking nazis never question their bosses or consult reason so these signs tend to stay. The next day, the sign was still there and still no one parked there... so I did. And then I kicked over the sign. When I got back to my car, I had no ticket and the sign was gone!

So now I've made my own laminated sign on a stick and I'll keep it in my trunk and park wherever I feel like. Some people said, "but that's illegal!" Huh? Not unless you want to count it as littering. It's not my fault if other people listen to my signs! Freedom of speech baby!

Pics coming soon.

Sunday, October 7, 2007

If I were homeless, I would spend all my spare time figuring out how to get into parking meters instead of bothering people for spare change. I mean look around! There's little boxes of money ($30-60 according to sources) spaced every 10 feet damned near everywhere in major cities.

Why bum when you can surreptitiously slide a homemade rake and tension wrench into a parking meter and walk off with lunch, dinner, a pack of smokes *AND* some Thunderbird money.

The parking meters around here are manufactured by Duncan parking meter company and use quarters. There's probably a large number with no cameras, and if you time your attack to vary meters on varying days, or even just leave some change in each one, you'd likely never get caught.

These guys got greedy. Besides, why use an angle grinder? That just alerts the meter maids to your presence. The keys on these meters are generally very short 5 pin models, not tubular, very easy to pick even for a novice.

Everyone robs ATMs because "that's where the money is." Teenagers spend countless hours trying to defeat vending machines (my personal favorite was to smash nickels until they are the size of quarters).

Next time you need laundry money and you realize you just dropped $.50 into the meter, think about it...

About this blog

Many blogs discuss security, either informational security or physical security. This blog is different. We discuss gray hat preparedness. What do YOU need to know how to do? What kit should you carry? We give real examples of theoretical vulnerabilities. Good guys need keys too. Cut the red tape. Use this stuff to make your life easier, and avoid so many of the stupid rules we have today.

University security, Informational security, Social engineering.